On 8/1/07, Luke Plant <[EMAIL PROTECTED]> wrote:
>
> On Wednesday 01 August 2007 19:56:05 Tom Tobin wrote:
> > Okay, post-Starbucks chat with my co-workers, here's my last-ditch
> > mitigation proposal:
> >
> > Set autoescaping on by default for anything ending in ``.html`` (and,
> > perhaps, ``.htm``), and off otherwise.
>
> -1 on this, it's much too magic for me. If you actually look at
> implementing it, it feels even worse -- you have to modify the
> Template.render() method to use information it doesn't even reliably
> have (the name of the template -- won't exist for templates from
> strings), and then *modify* the context object it is passed in on that
> basis...it's nasty.

I'm indeed assuming implementation issues can be surmounted; right now I'm
just floating the idea, and I'm more than willing to take a crack at
implementation if it gets a reasonable pass.

> Also consider cases where someone goes from using a template inline in a
> Python file (as I have in a few places in my source code for very small
> templates) to having them stored in files. Copying and pasting into a
> new file certainly qualifies as a simple refactor in my mind -- I
> probably wouldn't bother even testing the contents of the output. It
> would be pretty evil if the template could start behaving differently
> after doing this.

Let's assume autoescaping is on unless the template engine knows otherwise;
your inline templates will work as expected both before and after
extraction (again, assuming you're extracting them to a file ending in
``.html``). Inline templates that shouldn't be escaped can either be
decorated somehow, or have the ``{% autoescape off %}`` tag prepended.
(I'd prefer the former, but my objection for this uncommon subset of an
already uncommon case is weaker than my general file-template autoescaping
objection.)
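Tom's amended rule ("on unless the engine knows otherwise") and Luke's refactoring concern side by side, as an added example that is not from the thread and not Django's template engine: a toy string-substitution renderer of my own construction, with an assumed `autoescape_default` helper and a constructed template and input, showing which template names leave markup-bearing input unescaped.

```python
import html
import re

# Toy engine constructed for this example (not Django): {{ name }} substitution
# plus a leading {% autoescape off %} tag that turns escaping off for the template.
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")
AUTOESCAPE_OFF_RE = re.compile(r"^\s*\{%\s*autoescape\s+off\s*%\}\s*")


def render(source, context, autoescape=True):
    """Substitute variables, HTML-escaping them unless escaping is off.
    An explicit {% autoescape off %} tag always wins over the default."""
    tag = AUTOESCAPE_OFF_RE.match(source)
    if tag:
        autoescape = False
        source = source[tag.end():]

    def substitute(match):
        value = str(context.get(match.group(1), ""))
        return html.escape(value) if autoescape else value

    return VAR_RE.sub(substitute, source)


def autoescape_default(name):
    """Assumed helper for Tom's amended rule: on unless the engine knows otherwise.
    A string template has no name, so it is escaped; a file template is
    escaped only when its name ends in .html or .htm."""
    if name is None:
        return True
    return name.lower().endswith((".html", ".htm"))


def render_named(source, name, context):
    """Render with the default chosen from the template's (possible) file name."""
    return render(source, context, autoescape=autoescape_default(name))


def refactor_changes_output(source, target_name, context):
    """Luke's concern: does moving an inline template into a file change output?"""
    return render_named(source, None, context) != render_named(source, target_name, context)

# Constructed sample: a template body and an untrusted, markup-bearing value.
GREETING = "Hello {{ user }}!"
UNTRUSTED = {"user": "<b>Bob</b>"}

if __name__ == "__main__":
    for name in (None, "greeting.html", "greeting.txt"):
        print(repr(name), "->", render_named(GREETING, name, UNTRUSTED))
```

Under this rule only the move to a non-`.html` file silently drops escaping, which is the behaviour change the refactoring objection is about.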